500 lines
19 KiB
Bash
Executable File
500 lines
19 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
source ./config.env
|
|
|
|
echo "================================================================"
|
|
echo "Did ou configure your './config.env' before running this script?"
|
|
echo "================================================================"
|
|
|
|
while true; do
|
|
read -p "Do you want to continue? y/N: " answer
|
|
if [[ $answer == "y" ]]; then
|
|
break
|
|
else
|
|
echo "Aborting..."
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
dnf -y install git-core;
|
|
|
|
echo "Checking for already deployed stuff and container and cleanup all.."
|
|
|
|
podman pod kill "openxpki_pod"
|
|
podman pod rm -f "openxpki_pod"
|
|
|
|
if [ -d $OPENXPKI_CONFIG_DIR ] ; then
|
|
echo "Found old $OPENXPKI_CONFIG_DIR - deleting.";
|
|
rm -Rf /opt/openxpki/
|
|
echo "Creating empty folders."
|
|
mkdir -p /opt/openxpki/{db,dbsock,pkisock,log}
|
|
else
|
|
echo "No old deployments found - Creating from scratch."
|
|
mkdir -p /opt/openxpki/{db,dbsock,pkisock,log}
|
|
fi
|
|
|
|
if [ -d $OPENXPKI_SRC_DIR ] ; then
|
|
echo "Importing already cloned openxpki-config to $OPENXPKI_CONFIG_DIR";
|
|
cp -R $OPENXPKI_SRC_DIR $OPENXPKI_CONFIG_DIR;
|
|
else
|
|
echo "Cloning new copy of openxpki-config.."
|
|
git clone https://github.com/openxpki/openxpki-config --single-branch --branch=community
|
|
cp contrib/wait_on_init.yaml openxpki-config/config.d/system/local.yaml
|
|
echo "Importing freshly cloned openxpki-config to $OPENXPKI_CONFIG_DIR";
|
|
cp -R $OPENXPKI_SRC_DIR $OPENXPKI_CONFIG_DIR;
|
|
fi
|
|
|
|
echo "Starting to set up openxpki-config..";
|
|
|
|
if [ -d $OPENXPKI_CONFIG_DIR ] ; then
|
|
|
|
echo "Update realms.yaml to reference our realm"
|
|
sed -i "s/^democa/$REALM/" $OPENXPKI_CONFIG_DIR/config.d/system/realms.yaml;
|
|
sed -i "s/label\:.*$/label: ${REALM_LONG_NAME}/" $OPENXPKI_CONFIG_DIR/config.d/system/realms.yaml;
|
|
sed -i "s~baseurl:.*$~baseurl: ${REALM_URL}~" $OPENXPKI_CONFIG_DIR/config.d/system/realms.yaml;
|
|
|
|
echo "Move the sample realm-tree folder to our realm"
|
|
rm -f $OPENXPKI_CONFIG_DIR/config.d/realm/democa
|
|
mv $OPENXPKI_CONFIG_DIR/config.d/realm.tpl $OPENXPKI_CONFIG_DIR/config.d/realm/$REALM/;
|
|
mkdir -p ${OPENXPKI_CONFIG_DIR}/local/keys
|
|
|
|
echo "Set certificate expiration date in realm/profile/*.yaml"
|
|
sed -i "s~notafter\:.*$~notafter: +{$PROFILE_CERT_EXPIR}~" $OPENXPKI_CONFIG_DIR/config.d/realm/$REALM/profile/*.yaml;
|
|
|
|
# Change password for TEST accounts
|
|
sed -i "s~digest:.*$~digest: \"${TEST_ACC_PASSWD}\"~" $OPENXPKI_CONFIG_DIR/config.d/realm/$REALM/auth/handler.yaml;
|
|
|
|
echo "Update scep/default.conf to reference our realm"
|
|
sed -i "s/^realm = .*$/realm = ${REALM}/" $OPENXPKI_CONFIG_DIR/scep/default.conf;
|
|
|
|
echo "Update all other files to reference our realm"
|
|
|
|
sed -i "s/democa/${REALM}/g" ${OPENXPKI_CONFIG_DIR}/config/config.d/realm/${REALM}/auth/handler.yaml \
|
|
${OPENXPKI_CONFIG_DIR}/config/rpc/default.conf \
|
|
${OPENXPKI_CONFIG_DIR}/config/rpc/enroll.conf \
|
|
${OPENXPKI_CONFIG_DIR}/config/rpc/public.conf \
|
|
${OPENXPKI_CONFIG_DIR}/config/est/default.conf \
|
|
${OPENXPKI_CONFIG_DIR}/config/contrib/sampleconfig.sh \
|
|
${OPENXPKI_CONFIG_DIR}/config/webui/default.conf
|
|
else
|
|
echo "Error could not make configurations - missing files..."
|
|
exit 1
|
|
fi
|
|
|
|
OPENXPKI_CONFIG="${OPENXPKI_CONFIG_DIR}/config.d/system/server.yaml"
|
|
if [ -f "${OPENXPKI_CONFIG}" ]
|
|
then
|
|
eval `egrep '^user:|^group:' "${OPENXPKI_CONFIG}" | sed -e 's/: */=/g'`
|
|
else
|
|
echo "ERROR: It seems that openXPKI is not installed at the default location (${OPENXPKI_CONFIG_DIR})!" >&2
|
|
echo "Please install OpenXPKI or set OPENXPKI_CONFIG_DIR to the new PATH!" >&2
|
|
exit 1
|
|
fi
|
|
|
|
CA_DIR="${OPENXPKI_CONFIG_DIR}/ca"
|
|
CONTAINER_CA_DIR="/etc/openxpki/ca"
|
|
|
|
make_password() {
|
|
|
|
PASSWORD_FILE=$1;
|
|
touch "${PASSWORD_FILE}"
|
|
chown $user:root "${PASSWORD_FILE}"
|
|
chmod 640 "${PASSWORD_FILE}"
|
|
if [ -z "$KEY_PASSWORD" ]; then
|
|
dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 >"${PASSWORD_FILE}"
|
|
else
|
|
echo -n "$KEY_PASSWORD" > "${PASSWORD_FILE}"
|
|
fi;
|
|
|
|
}
|
|
|
|
# CA and certificate settings
|
|
#
|
|
|
|
BACKUP_SUFFIX='~'
|
|
GENERATION=$(date +%Y%m%d)
|
|
|
|
# root CA selfsigned
|
|
ROOT_CA="${COMPANY_NAME}_Root_CA"
|
|
ROOT_CA_REQUEST="${CA_DIR}/${ROOT_CA}.csr"
|
|
ROOT_CA_KEY="${CA_DIR}/${ROOT_CA}.key"
|
|
ROOT_CA_KEY_PASSWORD="${CA_DIR}/${ROOT_CA}.pass"
|
|
ROOT_CA_CERTIFICATE="${CA_DIR}/${ROOT_CA}.crt"
|
|
ROOT_CA_CERTIFICATE_POD="${CONTAINER_CA_DIR}/${ROOT_CA}.crt"
|
|
ROOT_CA_SUBJECT="/CN=${COMPANY_NAME} Root CA ${GENERATION}"
|
|
ROOT_CA_SERVER_FQDN="${FQDN}"
|
|
|
|
# issuing CA signed by root CA above
|
|
ISSUING_CA="${COMPANY_NAME}_Issuing_CA"
|
|
ISSUING_CA_REQUEST="${CA_DIR}/${ISSUING_CA}.csr"
|
|
ISSUING_CA_KEY="${CA_DIR}/${ISSUING_CA}.key"
|
|
ISSUING_CA_KEY_POD="${CONTAINER_CA_DIR}/${ISSUING_CA}.key"
|
|
ISSUING_CA_KEY_PASSWORD="${CA_DIR}/${ISSUING_CA}.pass"
|
|
ISSUING_CA_CERTIFICATE="${CA_DIR}/${ISSUING_CA}.crt"
|
|
ISSUING_CA_CERTIFICATE_POD="${CONTAINER_CA_DIR}/${ISSUING_CA}.crt"
|
|
ISSUING_CA_SUBJECT="/C=CH/O=${COMPANY_NAME}/OU=PKI/CN=${COMPANY_NAME} Issuing CA ${GENERATION}"
|
|
|
|
# SCEP registration authority certificate signed by root CA above
|
|
SCEP="${COMPANY_NAME}_SCEP_RA"
|
|
SCEP_REQUEST="${CA_DIR}/${SCEP}.csr"
|
|
SCEP_KEY="${CA_DIR}/${SCEP}.key"
|
|
SCEP_KEY_POD="${CONTAINER_CA_DIR}/${SCEP}.key"
|
|
SCEP_KEY_PASSWORD="${CA_DIR}/${SCEP}.pass"
|
|
SCEP_CERTIFICATE="${CA_DIR}/${SCEP}.crt"
|
|
SCEP_CERTIFICATE_POD="${CONTAINER_CA_DIR}/${SCEP}.crt"
|
|
SCEP_SUBJECT="/CN=${FQDN}:scep-ra"
|
|
|
|
# Apache WEB certificate signed by root CA above
|
|
WEB="${COMPANY_NAME}_WebUI"
|
|
WEB_REQUEST="${CA_DIR}/${WEB}.csr"
|
|
WEB_KEY="${CA_DIR}/${WEB}.key"
|
|
WEB_KEY_PASSWORD="${CA_DIR}/${WEB}.pass"
|
|
WEB_CERTIFICATE="${CA_DIR}/${WEB}.crt"
|
|
WEB_SUBJECT="/CN=${FQDN}"
|
|
WEB_SERVER_FQDN="${FQDN}"
|
|
|
|
# data vault certificate selfsigned
|
|
DATAVAULT="${COMPANY_NAME}_DataVault"
|
|
DATAVAULT_REQUEST="${CA_DIR}/${DATAVAULT}.csr"
|
|
DATAVAULT_KEY="${CA_DIR}/${DATAVAULT}.key"
|
|
DATAVAULT_KEY_POD="${CONTAINER_CA_DIR}/${DATAVAULT}.key"
|
|
DATAVAULT_KEY_PASSWORD="${CA_DIR}/${DATAVAULT}.pass"
|
|
DATAVAULT_CERTIFICATE="${CA_DIR}/${DATAVAULT}.crt"
|
|
DATAVAULT_CERTIFICATE_POD="${CONTAINER_CA_DIR}/${DATAVAULT}.crt"
|
|
DATAVAULT_SUBJECT='/CN=DataVault'
|
|
|
|
#
|
|
# openssl.conf
|
|
#
|
|
BITS=4096
|
|
DAYS=730 # 2 years (default value not used for further enhancements)
|
|
RDAYS="3655" # 10 years for root
|
|
IDAYS="1828" # 5 years for issuing
|
|
SDAYS="365" # 1 years for scep
|
|
WDAYS="1096" # 3 years web
|
|
DDAYS="$RDAYS" # 10 years datavault (same a root)
|
|
|
|
# creation neccessary directories and files
|
|
echo -n "creating configuration for openssl ($OPENSSL_CONF) .. "
|
|
test -d "${CA_DIR}" || mkdir -m 755 -p "${CA_DIR}" && chown ${user}:root "${CA_DIR}"
|
|
OPENSSL_DIR="${CA_DIR}/.openssl"
|
|
test -d "${OPENSSL_DIR}" || mkdir -m 700 "${OPENSSL_DIR}" && chown root:root "${OPENSSL_DIR}"
|
|
cd "${OPENSSL_DIR}";
|
|
|
|
OPENSSL_CONF="${OPENSSL_DIR}/openssl.cnf"
|
|
|
|
touch "${OPENSSL_DIR}/index.txt"
|
|
touch "${OPENSSL_DIR}/index.txt.attr"
|
|
echo 00 > "${OPENSSL_DIR}/crlnumber"
|
|
|
|
echo "
|
|
HOME = .
|
|
RANDFILE = \$ENV::HOME/.rnd
|
|
|
|
[ ca ]
|
|
default_ca = CA_default
|
|
|
|
[ CA_default ]
|
|
dir = ${OPENSSL_DIR}
|
|
certs = ${OPENSSL_DIR}/certs
|
|
crl_dir = ${OPENSSL_DIR}/
|
|
database = ${OPENSSL_DIR}/index.txt
|
|
new_certs_dir = ${OPENSSL_DIR}/
|
|
serial = ${OPENSSL_DIR}/serial
|
|
crlnumber = ${OPENSSL_DIR}/crlnumber
|
|
|
|
crl = ${OPENSSL_DIR}/crl.pem
|
|
private_key = ${OPENSSL_DIR}/cakey.pem
|
|
RANDFILE = ${OPENSSL_DIR}/.rand
|
|
|
|
default_md = sha256
|
|
preserve = no
|
|
policy = policy_none
|
|
default_days = ${DAYS}
|
|
|
|
# x509_extensions = v3_ca_extensions
|
|
# x509_extensions = v3_issuing_extensions
|
|
# x509_extensions = v3_datavault_extensions
|
|
# x509_extensions = v3_scep_extensions
|
|
# x509_extensions = v3_web_extensions
|
|
|
|
[policy_none]
|
|
countryName = optional
|
|
organizationName = optional
|
|
domainComponent = optional
|
|
organizationalUnitName = optional
|
|
commonName = supplied
|
|
|
|
[ req ]
|
|
default_bits = ${BITS}
|
|
distinguished_name = req_distinguished_name
|
|
|
|
# x509_extensions = v3_ca_reqexts # not for root self signed, only for issuing
|
|
## x509_extensions = v3_datavault_reqexts # not required self signed
|
|
# x509_extensions = v3_scep_reqexts
|
|
# x509_extensions = v3_web_reqexts
|
|
|
|
[ req_distinguished_name ]
|
|
domainComponent = Domain Component
|
|
commonName = Common Name
|
|
|
|
[ v3_ca_reqexts ]
|
|
subjectKeyIdentifier = hash
|
|
keyUsage = digitalSignature, keyCertSign, cRLSign
|
|
|
|
[ v3_datavault_reqexts ]
|
|
subjectKeyIdentifier = hash
|
|
keyUsage = keyEncipherment
|
|
extendedKeyUsage = emailProtection
|
|
|
|
[ v3_scep_reqexts ]
|
|
subjectKeyIdentifier = hash
|
|
|
|
[ v3_web_reqexts ]
|
|
subjectKeyIdentifier = hash
|
|
keyUsage = critical, digitalSignature, keyEncipherment
|
|
extendedKeyUsage = serverAuth, clientAuth
|
|
|
|
|
|
[ v3_ca_extensions ]
|
|
subjectKeyIdentifier = hash
|
|
keyUsage = digitalSignature, keyCertSign, cRLSign
|
|
basicConstraints = critical,CA:TRUE
|
|
authorityKeyIdentifier = keyid:always,issuer
|
|
|
|
[ v3_issuing_extensions ]
|
|
subjectKeyIdentifier = hash
|
|
keyUsage = digitalSignature, keyCertSign, cRLSign
|
|
basicConstraints = critical,CA:TRUE
|
|
authorityKeyIdentifier = keyid:always,issuer:always
|
|
#crlDistributionPoints = ${ROOT_CA_REVOCATION_URI}
|
|
#authorityInfoAccess = caIssuers;${ROOT_CA_CERTIFICATE_URI}
|
|
|
|
[ v3_datavault_extensions ]
|
|
subjectKeyIdentifier = hash
|
|
keyUsage = keyEncipherment
|
|
extendedKeyUsage = emailProtection
|
|
basicConstraints = CA:FALSE
|
|
authorityKeyIdentifier = keyid:always,issuer
|
|
|
|
[ v3_scep_extensions ]
|
|
subjectKeyIdentifier = hash
|
|
keyUsage = digitalSignature, keyEncipherment
|
|
basicConstraints = CA:FALSE
|
|
authorityKeyIdentifier = keyid,issuer
|
|
|
|
[ v3_web_extensions ]
|
|
subjectKeyIdentifier = hash
|
|
keyUsage = critical, digitalSignature, keyEncipherment
|
|
extendedKeyUsage = serverAuth, clientAuth
|
|
basicConstraints = critical,CA:FALSE
|
|
subjectAltName = DNS:${WEB_SERVER_FQDN}
|
|
#crlDistributionPoints = ${ISSUING_REVOCATION_URI}
|
|
#authorityInfoAccess = caIssuers;${ISSUING_CERTIFICATE_URI}
|
|
" > "${OPENSSL_CONF}"
|
|
|
|
echo "done."
|
|
|
|
[ "$Debug" = 'true' ] || exec 2>/dev/null
|
|
echo "================================================================"
|
|
echo "Creating certificates .. "
|
|
|
|
# self signed root
|
|
if [ ! -e "${ROOT_CA_CERTIFICATE}" ]
|
|
then
|
|
echo "Did not find a root ca certificate file."
|
|
echo -n "Creating an own self signed root ca .. "
|
|
test -f "${ROOT_CA_KEY}" && \
|
|
mv "${ROOT_CA_KEY}" "${ROOT_CA_KEY}${BACKUP_SUFFIX}"
|
|
test -f "${ROOT_CA_KEY_PASSWORD}" && \
|
|
mv "${ROOT_CA_KEY_PASSWORD}" "${ROOT_CA_KEY_PASSWORD}${BACKUP_SUFFIX}"
|
|
make_password "${ROOT_CA_KEY_PASSWORD}"
|
|
openssl req -verbose -config "${OPENSSL_CONF}" -extensions v3_ca_extensions -batch -x509 -newkey rsa:$BITS -days ${RDAYS} -passout file:"${ROOT_CA_KEY_PASSWORD}" -keyout "${ROOT_CA_KEY}" -subj "${ROOT_CA_SUBJECT}" -out "${ROOT_CA_CERTIFICATE}"
|
|
echo "done."
|
|
fi
|
|
|
|
# signing certificate (issuing)
|
|
if [ ! -e "${ISSUING_CA_KEY}" ]
|
|
then
|
|
echo "Did not find existing issuing CA key file."
|
|
echo -n "Creating an issuing CA request .. "
|
|
test -f "${ISSUING_CA_REQUEST}" && \
|
|
mv "${ISSUING_CA_REQUEST}" "${ISSUING_CA_REQUEST}${BACKUP_SUFFIX}"
|
|
make_password "${ISSUING_CA_KEY_PASSWORD}"
|
|
openssl req -verbose -config "${OPENSSL_CONF}" -reqexts v3_ca_reqexts -batch -newkey rsa:$BITS -passout file:"${ISSUING_CA_KEY_PASSWORD}" -keyout "${ISSUING_CA_KEY}" -subj "${ISSUING_CA_SUBJECT}" -out "${ISSUING_CA_REQUEST}"
|
|
echo "done."
|
|
if [ -e "${ROOT_CA_KEY}" ]
|
|
then
|
|
echo -n "Signing issuing certificate with own root CA .. "
|
|
test -f "${ISSUING_CA_CERTIFICATE}" && \
|
|
mv "${ISSUING_CA_CERTIFICATE}" "${ISSUING_CA_CERTIFICATE}${BACKUP_SUFFIX}"
|
|
openssl ca -create_serial -config "${OPENSSL_CONF}" -extensions v3_issuing_extensions -batch -days ${IDAYS} -in "${ISSUING_CA_REQUEST}" -cert "${ROOT_CA_CERTIFICATE}" -passin file:"${ROOT_CA_KEY_PASSWORD}" -keyfile "${ROOT_CA_KEY}" -out "${ISSUING_CA_CERTIFICATE}"
|
|
echo "done."
|
|
else
|
|
echo "No '${ROOT_CA_KEY}' key file!"
|
|
echo "please sign generated request with the company's root CA key"
|
|
exit 0
|
|
fi
|
|
else
|
|
if [ ! -e "${ISSUING_CA_CERTIFICATE}" ]
|
|
then
|
|
echo "No '${ISSUING_CA_CERTIFICATE}' certificate file!"
|
|
if [ ! -e "${ROOT_CA_KEY}" ]
|
|
then
|
|
echo "No '${ROOT_CA_KEY}' key file!"
|
|
echo "please sign generated request with the company's root CA key"
|
|
exit 0
|
|
else
|
|
echo -n "Signing issuing certificate with own root CA .. "
|
|
openssl ca -create_serial -config "${OPENSSL_CONF}" -extensions v3_issuing_extensions -batch -days ${IDAYS} -in "${ISSUING_CA_REQUEST}" -cert "${ROOT_CA_CERTIFICATE}" -passin file:"${ROOT_CA_KEY_PASSWORD}" -keyfile "${ROOT_CA_KEY}" -out "${ISSUING_CA_CERTIFICATE}"
|
|
echo "done."
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# Data Vault is only used internally, use self signed
|
|
if [ ! -e "${DATAVAULT_KEY}" ]
|
|
then
|
|
echo "Did not find existing DataVault certificate file."
|
|
echo -n "Creating a self signed DataVault certificate .. "
|
|
test -f "${DATAVAULT_CERTIFICATE}" && \
|
|
mv "${DATAVAULT_CERTIFICATE}" "${DATAVAULT_CERTIFICATE}${BACKUP_SUFFIX}"
|
|
make_password "${DATAVAULT_KEY_PASSWORD}"
|
|
openssl req -verbose -config "${OPENSSL_CONF}" -extensions v3_datavault_extensions -batch -x509 -newkey rsa:$BITS -days ${DDAYS} -passout file:"${DATAVAULT_KEY_PASSWORD}" -keyout "${DATAVAULT_KEY}" -subj "${DATAVAULT_SUBJECT}" -out "${DATAVAULT_CERTIFICATE}"
|
|
echo "done."
|
|
fi
|
|
|
|
# scep certificate
|
|
if [ ! -e "${SCEP_KEY}" ]
|
|
then
|
|
echo "Did not find existing SCEP certificate file."
|
|
echo -n "Creating a SCEP request .. "
|
|
test -f "${SCEP_REQUEST}" && \
|
|
mv "${SCEP_REQUEST}" "${SCEP_REQUEST}${BACKUP_SUFFIX}"
|
|
openssl req -verbose -config "${OPENSSL_CONF}" -reqexts v3_scep_reqexts -batch -newkey rsa:$BITS -nodes -keyout "${SCEP_KEY}" -subj "${SCEP_SUBJECT}" -out "${SCEP_REQUEST}"
|
|
echo "done."
|
|
echo -n "Signing SCEP certificate with Issuing CA .. "
|
|
test -f "${SCEP_CERTIFICATE}" && \
|
|
mv "${SCEP_CERTIFICATE}" "${SCEP_CERTIFICATE}${BACKUP_SUFFIX}"
|
|
openssl ca -create_serial -config "${OPENSSL_CONF}" -extensions v3_scep_extensions -batch -days ${SDAYS} -in "${SCEP_REQUEST}" -cert "${ISSUING_CA_CERTIFICATE}" -passin file:"${ISSUING_CA_KEY_PASSWORD}" -keyfile "${ISSUING_CA_KEY}" -out "${SCEP_CERTIFICATE}"
|
|
echo "done."
|
|
fi
|
|
|
|
# web certificate
|
|
if [ ! -e "${WEB_KEY}" ]
|
|
then
|
|
echo "Did not find existing WEB certificate file."
|
|
echo -n "Creating a Web request .. "
|
|
test -f "${WEB_REQUEST}" && \
|
|
mv "${WEB_REQUEST}" "${WEB_REQUEST}${BACKUP_SUFFIX}"
|
|
openssl req -verbose -config "${OPENSSL_CONF}" -reqexts v3_web_reqexts -batch -newkey rsa:$BITS -nodes -keyout "${WEB_KEY}" -subj "${WEB_SUBJECT}" -out "${WEB_REQUEST}"
|
|
echo "done."
|
|
echo -n "Signing Web certificate with Issuing CA .. "
|
|
test -f "${WEB_CERTIFICATE}" && \
|
|
mv "${WEB_CERTIFICATE}" "${WEB_CERTIFICATE}${BACKUP_SUFFIX}"
|
|
openssl ca -create_serial -config "${OPENSSL_CONF}" -extensions v3_web_extensions -batch -days ${WDAYS} -in "${WEB_REQUEST}" -cert "${ISSUING_CA_CERTIFICATE}" -passin file:"${ISSUING_CA_KEY_PASSWORD}" -keyfile "${ISSUING_CA_KEY}" -out "${WEB_CERTIFICATE}"
|
|
echo "done."
|
|
fi
|
|
|
|
cd $OLDPWD;
|
|
# rm $TMP/*;
|
|
# rmdir $TMP;
|
|
|
|
# chown/chmod
|
|
chmod 400 ${CA_DIR}/*.pass
|
|
chmod 440 ${CA_DIR}/*.key
|
|
chmod 444 ${CA_DIR}/*.crt
|
|
chown root:root ${CA_DIR}/*.csr ${CA_DIR}/*.key ${CA_DIR}/*.pass
|
|
chown root:${group} ${CA_DIR}/*.crt ${CA_DIR}/*.key
|
|
echo "================================================================"
|
|
|
|
if [ ! -e "${OPENXPKI_CONFIG_DIR}/tls/chain" ]; then
|
|
mkdir -m755 -p ${OPENXPKI_CONFIG_DIR}/tls/chain
|
|
cp ${ROOT_CA_CERTIFICATE} ${OPENXPKI_CONFIG_DIR}/tls/chain/
|
|
cp ${ISSUING_CA_CERTIFICATE} ${OPENXPKI_CONFIG_DIR}/tls/chain/
|
|
c_rehash ${OPENXPKI_CONFIG_DIR}/tls/chain/
|
|
fi
|
|
|
|
if [ ! -e "${OPENXPKI_CONFIG_DIR}/tls/endentity/openxpki.crt" ]; then
|
|
mkdir -m755 -p ${OPENXPKI_CONFIG_DIR}/tls/endentity
|
|
mkdir -m700 -p ${OPENXPKI_CONFIG_DIR}/tls/private
|
|
cp ${WEB_CERTIFICATE} ${OPENXPKI_CONFIG_DIR}/tls/endentity/openxpki.crt
|
|
cat ${ISSUING_CA_CERTIFICATE} >> ${OPENXPKI_CONFIG_DIR}/tls/endentity/openxpki.crt
|
|
cp ${WEB_KEY} ${OPENXPKI_CONFIG_DIR}/tls/private/openxpki.pem
|
|
chmod 400 ${OPENXPKI_CONFIG_DIR}/tls/private/openxpki.pem
|
|
fi
|
|
|
|
|
|
|
|
echo "================================================================"
|
|
echo -n "Starting servers before running import ... "
|
|
|
|
echo "Create new openxpki Pod"
|
|
podman pod create --name openxpki_pod -p 8080:80 -p 8443:443
|
|
|
|
echo "Creating and start MariaDB container"
|
|
podman run -d --pod openxpki_pod \
|
|
--name openxpki_db \
|
|
-v /opt/openxpki/db:/var/lib/mysql:z \
|
|
-v /opt/openxpki/dbsock:/var/run/mysqld:z \
|
|
-v /opt/openxpki/config/contrib/sql/schema-mariadb.sql:/docker-entrypoint-initdb.d/schema-mariadb.sql:z \
|
|
-e MYSQL_DATABASE=openxpki \
|
|
-e MYSQL_USER=openxpki \
|
|
-e MYSQL_PASSWORD=openxpki \
|
|
-e MYSQL_ROOT_PASSWORD=topsecret \
|
|
mariadb:10 \
|
|
--default-authentication-plugin=mysql_native_password
|
|
|
|
echo "Creating and start OpenXPKI Server container"
|
|
|
|
podman run -d --pod openxpki_pod \
|
|
--name openxpki_server \
|
|
-v /opt/openxpki/config:/etc/openxpki:z \
|
|
-v /opt/openxpki/pkisock:/var/openxpki:z \
|
|
-v /opt/openxpki/dbsock:/var/run/mysqld:z \
|
|
-v /opt/openxpki/log:/var/log/openxpki:z \
|
|
-v /etc/localtime:/etc/localtime:ro \
|
|
whiterabbitsecurity/openxpki3 \
|
|
/usr/bin/openxpkictl start --no-detach
|
|
|
|
echo "Creating and start OpenXPKI Frontend container"
|
|
podman run -d --pod openxpki_pod \
|
|
--name openxpki_frontend \
|
|
-v /opt/openxpki/config:/etc/openxpki:z \
|
|
-v /opt/openxpki/pkisock:/var/openxpki:z \
|
|
-v /opt/openxpki/dbsock:/var/run/mysqld:z \
|
|
-v /opt/openxpki/log:/var/log/openxpki:z \
|
|
whiterabbitsecurity/openxpki3 \
|
|
/usr/bin/start-apache
|
|
|
|
echo "================================================================"
|
|
echo "Press Enter to continue..."
|
|
read
|
|
|
|
|
|
# the import command with the --key parameter takes care to copy the key
|
|
# files to the datapool or filesystem locations
|
|
podman exec -it openxpki_server openxpkiadm certificate import --file "${ROOT_CA_CERTIFICATE_POD}"
|
|
podman exec -it openxpki_server openxpkiadm alias --file "${DATAVAULT_CERTIFICATE_POD}" --realm "${REALM}" --token datasafe --key ${DATAVAULT_KEY_POD}
|
|
sleep 1;
|
|
podman exec -it openxpki_server openxpkiadm alias --file "${ISSUING_CA_CERTIFICATE_POD}" --realm "${REALM}" --token certsign --key ${ISSUING_CA_KEY_POD}
|
|
podman exec -it openxpki_server openxpkiadm alias --file "${SCEP_CERTIFICATE_POD}" --realm "${REALM}" --token scep --key ${SCEP_KEY_POD}
|
|
|
|
echo "done."
|
|
echo ""
|
|
|
|
# Setup the Webserver
|
|
podman exec -it openxpki_frontend a2enmod ssl rewrite headers
|
|
podman exec -it openxpki_frontend a2ensite openxpki
|
|
podman exec -it openxpki_frontend a2dissite 000-default default-ssl
|
|
|
|
podman exec -it openxpki_server cp ${ISSUING_CA_CERTIFICATE_POD} /etc/ssl/certs
|
|
podman exec -it openxpki_server cp ${ROOT_CA_CERTIFICATE_POD} /etc/ssl/certs
|
|
podman exec -it openxpki_server c_rehash /etc/ssl/certs
|
|
|
|
podman exec -it openxpki_frontend cp ${ISSUING_CA_CERTIFICATE_POD} /etc/ssl/certs
|
|
podman exec -it openxpki_frontend cp ${ROOT_CA_CERTIFICATE_POD} /etc/ssl/certs
|
|
podman exec -it openxpki_frontend c_rehash /etc/ssl/certs
|
|
|
|
echo "OpenXPKI configuration should be done and the server should be running..."
|
|
echo "" |